47 Safety in Processes: Rules, Standards, 
Certification, Culture, and Management 

ASISH GHOSH 


PARTIAL LIST OF PROGRAMMABLE SAFETY SYSTEM 
SUPPLIERS FOR PROCESS INDUSTRIES 

ABB (http://www.abb.com/)

Emerson (http://www.emerson.com/en-US/Pages/Home.aspx)

GE Fanuc (http://www.ge-ip.com/products/family/automation)

HIMA (http://www.hima.com/)

Honeywell (http://www51.honeywell.com/honeywell/)

Invensys (Triconex) (http://www51.honeywell.com/honeywell/)

Rockwell (http://www.rockwellautomation.com/)

Siemens (http://www.siemens.com/)

Yokogawa (http://www.yokogawa.com/)

PARTIAL LIST OF SUPPLIERS FOR CRITICAL 
CONDITION MANAGEMENT 

Gensym (http://www.gensym.com/)

Emerson (http://www.emerson.com/en-US/Pages/Home.aspx)

Honeywell (http://www51.honeywell.com/honeywell/)

Matrikon (http://www.matrikon.com/)

Plant Automation Services (PAS) (http://www.pas.com/)

PARTIAL LIST OF SUPPLIERS FOR SAFETY 
LIFECYCLE MANAGEMENT SOFTWARE 

ABB Eutech (http://www.abb.com/) 

ACM (http://www.acm.ab.ca) 

Dyadem (http://www.dyadem.com/) 

Exida (http://www.exida.com/) 

Primatech (http://www.primatech.com/software/)

SIS-Tech (http://www.sis-tech.com/) 

INTRODUCTION 

Since the publication of IEC 61508 safety standard [1]
and the IEC 61511 standard for process safety [2], inter-
est in rigorous safety analysis and applying certified safety
instrumented systems (SISs) has increased considerably
among the user community. As users become more knowl-
edgeable about safety issues, they increasingly focus on over-
all safety. Today’s users want their safety systems to satisfy
their requirements in a more cost-effective way. Often, they
accomplish this through closer integration of safety and con-
trol systems. They look for a flexible architecture with more
scalability. They also look for increased functionality to be
able to modify alarm limits based on process conditions and
perform orderly shutdown procedures in case of an emer-
gency. Today, the major trends in safety systems are

• Increased focus on overall safety 

• Closer integration with control systems 

• Increased flexibility and scalability 

• Increased function block capabilities 

Both IEC 61508 and 61511 are performance-based standards. 
As such, they do not mandate any specific safety system 
architecture or risk assessment procedures. However, they 
do provide considerable guidance on safety lifecycle, haz- 
ards and risk analysis, and methods for determining safety 
requirements. 

Safety system certifications objectively assess the reli- 
ability and availability of critical control and safety shutdown 
systems and related products. TÜV (acronym for Technischer
Überwachungs-Verein) organizations in Germany have been
in the forefront of inspection and certification of safety-related 
systems in Germany and worldwide. In choosing a safety sys- 
tem, users should not only take into account all the features, 
but also the specified restrictions as spelled out by the certifi- 
cation authority. This information is often found in the prod- 
uct’s safety manual. In choosing a system supplier, which is 
at least as important as system evaluation, users should take 
into account the supplier’s knowledge and experience in safety 
analysis, application knowledge, and local support capabilities. 

RISK REDUCTION 

Risk is usually defined as the combination of the severity and
probability of an unplanned event. That is, how often can it
happen and how serious are the consequences when it does.
The type of events and their associated risks in manufactur-
ing operations include fires, explosions, or other incidents
resulting in human injuries or deaths, plus environmental
impact, loss of capital equipment, and lost production. For
many manufacturers, loss of company image can also be
a significant risk factor, since this is often directly associ-
ated with both customer and shareholder acceptance. With
increased environmental awareness, regulatory concerns,
and threat of litigation, risk reduction is becoming increas-
ingly important to most manufacturers (Table 47.1).

716

© 2012 by Bela Liptak

TABLE 47.1

Factors That Increase Risk

Operating plant and machinery closer to their limits

Transient operation states

Use of hazardous raw materials

Manufacture of hazardous intermediates

Presence of untrained personnel

Absence of safety culture

The best way to reduce risk in a manufacturing plant is 
to design inherently safe processes. However, inherent safety 
is rarely achievable in today’s manufacturing environments. 
Risks prevail wherever there are hazardous or toxic materials 
stored, processed, or handled (Figure 47.1). 

Since it is impossible to eliminate all risks, a manufac- 
turer must determine an acceptable level of risk for its own 
operations. After identifying the hazards, a manufacturer 
should perform a study to evaluate each risk situation by con- 
sidering likelihood and severity. The risk evaluation study 
should also consider site-specific conditions, such as popu- 
lation density, in-plant traffic patterns, and meteorological 
conditions. 


Risk levels generated by safety studies enable manufac- 
turers to determine whether the risks are within acceptable 
levels. Basic process control systems, along with process 
alarms and facilities for manual intervention, provide the 
first level of protection and reduce the risk level in a manu- 
facturing facility. Additional protection measures are needed 
where a basic control system does not reduce the risk to an 
acceptable level. These include safety-instrumented systems, 
hardware interlocks, relief valves, and containment dikes. To 
be effective, each protection subsystem should act indepen- 
dently of all others (Table 47.2). 


HISTORY 

In the early days of process control, commonly used alarm- 
ing and safety interlocking devices included pressure, flow, 
level, and temperature switches. These switches were simple 
mechanical or electromechanical devices that, upon detec- 
tion of hazardous conditions, activated valves, motors, and 
other plant equipment to bring a process to a safe state. Other 
mechanical protection devices, still employed today, include 
electrical fuses, safety valves, and rupture disks. 

While the development of electromechanical and 
solid state relays allowed sophisticated safety systems to 
be designed for process industries, these were difficult to 
program and interface with the computer-based systems 
increasingly used for process control. This gave rise to pro- 
grammable safety systems in the early 1970s. Programmable 
safety systems provide the scalability, flexibility, and ease of 
configuration that we expect from today’s control systems 
(Table 47.3). 

August Systems pioneered the development of program-
mable safety systems. Triconex and Triplex soon followed
with their own systems. These three suppliers developed
triple modular redundant (TMR) systems, where three inde-
pendent, parallel processors (called “logic solvers”) with
extensive diagnostics are integrated into a single system. At
each decision point within the system, the system performs
a two-out-of-three (2oo3) vote to determine failures and
guarantee safe operations (Figure 47.2).

FIG. 47.1

Reducing risk.

TABLE 47.2

Driving Forces for Lowering Risks

Higher environmental awareness

Increased regulatory considerations

Emergence of safety standards

Maintaining company image

TABLE 47.3

Typical Applications of Safety Systems

Emergency shutdown

Fire and gas monitoring and protection

Critical process control

Burner management and control

Turbine and compressor control

Unmanned installations

A dual redundant system with extensive diagnostics 
(duplex) is the other common safety system design. Here, two 
identical processors are configured as a married pair to check 
the health of the system (1oo2D). In this arrangement, two
identical processors run in parallel using the same inputs, 
while the output of only one of the modules is used for con- 
trol at any given time. The system always compares the out- 
puts of both processors to ensure that they are synchronized 
and identical. If they disagree, the system invokes diagnos- 
tics to determine which of the two is still reliable, and that 
processor is used to continue the process or shut it down to 
a safe state. The systems also generate appropriate messages 
for fixing the failed processor (Figure 47.3). 

Another type of safety system now available is the qua-
druple modular redundant (quad) system. The quad architec-
ture provides four (4) processors — two per channel (2oo4).
This can be viewed as a pair of duplex systems with diag-
nostics. Both pairs of active processors operate synchro-
nously with the same user program. A hardware comparator
and a separate fail-safe watchdog monitor the operation of
each pair of processors to diagnose and resolve anomalies
(Figure 47.4). The safety and availability of quad, TMR,
and duplex systems are comparable. The quality of diagnos-
tics and other implementation issues define the differences.
Increased safety awareness, impact of various regulatory
agencies, and publication of safety standards have led to
rapid growth in demand for safety systems in recent years.
Many distributed control system (DCS) and programmable
logic controller (PLC)-based control system suppliers now
eagerly try to gain a share of this market.

FIG. 47.2

Typical TMR system.

FIG. 47.3

Typical duplex system.

FIG. 47.4

Typical quad system.
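The 2oo3, 1oo2D, and 2oo4 voting schemes described above, as an added Python example that is not part of the handbook chapter and models no particular vendor's product. The class and function names, the permit/trip boolean convention (True = permit to run, False = trip to the safe state, i.e., de-energize to trip), and the treatment of the quad system as two 1oo2D pairs with a per-pair comparator are this example's own assumptions; each channel's diagnostic verdict is simply a flag supplied with the channel.

```python
"""Added example (not from the handbook chapter): toy models of the 2oo3
(TMR), 1oo2D (duplex with diagnostics) and 2oo4 (quad) voting schemes.
Outputs follow the de-energize-to-trip convention: True means "permit to
run", False means "trip to safe state". Names and the diagnostic model are
this example's own assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LogicSolver:
    """One processor channel: its computed output and its self-diagnostic verdict."""
    name: str
    output: bool          # True = permit to run, False = trip
    healthy: bool = True  # True when the channel's own diagnostics pass


def vote_2oo3(channels: List[LogicSolver]) -> Tuple[bool, List[str]]:
    """TMR voting: the majority of the three outputs is used, and any channel
    that dissents from the majority is reported as failed. The plant keeps
    running on the two agreeing channels while the third is repaired."""
    if len(channels) != 3:
        raise ValueError("2oo3 voting needs exactly three channels")
    permits = sum(1 for c in channels if c.output)
    voted = permits >= 2
    failed = [c.name for c in channels if c.output != voted]
    return voted, failed


def vote_1oo2D(a: LogicSolver, b: LogicSolver) -> Tuple[bool, Optional[str]]:
    """Duplex with diagnostics: both channels compute on the same inputs and
    their outputs are compared. On disagreement, the channel whose diagnostics
    still pass is trusted; if diagnostics cannot single out the faulty channel,
    the safe action is to trip. Returns (output, name of the distrusted channel)."""
    if a.output == b.output:
        return a.output, None          # synchronized and identical
    if a.healthy and not b.healthy:
        return a.output, b.name
    if b.healthy and not a.healthy:
        return b.output, a.name
    return False, "undetermined"       # cannot arbitrate: shut down to a safe state


def vote_2oo4(pair1: Tuple[LogicSolver, LogicSolver],
              pair2: Tuple[LogicSolver, LogicSolver]) -> bool:
    """Quad (2oo4) modelled as two 1oo2D pairs (this simplification is the
    example's own). A pair whose comparator sees a mismatch, or whose
    diagnostics fail, is taken out of service and the system runs on the
    remaining pair. A trip is commanded if any serviceable pair trips, and
    also if no pair is serviceable (fail-safe)."""
    serviceable_outputs = []
    for a, b in (pair1, pair2):
        if a.output == b.output and a.healthy and b.healthy:
            serviceable_outputs.append(a.output)
    if not serviceable_outputs:
        return False
    return all(serviceable_outputs)


if __name__ == "__main__":
    # Constructed scenario: channel C is faulty and votes to permit while the
    # process has actually exceeded its trip limit.
    tmr = [LogicSolver("A", False), LogicSolver("B", False), LogicSolver("C", True)]
    print("2oo3 ->", vote_2oo3(tmr))            # (False, ['C'])
    duplex = (LogicSolver("P1", True), LogicSolver("P2", False, healthy=False))
    print("1oo2D ->", vote_1oo2D(*duplex))      # (True, 'P2')
    quad = ((LogicSolver("Q1", True), LogicSolver("Q2", True)),
            (LogicSolver("Q3", True), LogicSolver("Q4", False)))
    print("2oo4 ->", vote_2oo4(*quad))          # True: second pair degraded, first pair runs
```

The point the three functions make together is the one the text makes about diagnostics: with two channels the comparison alone only tells you that something is wrong, so the quality of the diagnostics decides whether the function can keep running or must trip, whereas three or four channels let the voter both keep running and name the failed channel.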

SAFETY STANDARDS AND INTEGRITY LEVELS 

The IEC 61508 safety standard published by International 
Electrotechnical Commission (IEC) applies to a wide range 
of industries and applications. The standard is intended both 
as the basis for the preparation of more specific standards and 
for standalone use. IEC 61511 is the more specific interna- 
tional safety standard for process industries. 

Since the publication of IEC 61508 and IEC 61511 stan-
dards, interest in rigorous safety analysis and applying certified
SISs has increased considerably among the user community.
These standards give guidance on good practice and offer 
recommendations, but do not absolve users of responsibility 
for safety. The standards not only deal with technical issues, 
but also include planning, documentation, and assessment of 
all activities. Thus, the standards deal with the management 
of safety throughout the entire life of a system. 

IEC 61508: General Safety Standard 

The IEC 61508 standard is in seven parts:

• Part 1: General requirements

• Part 2: Requirements for safety-related systems

• Part 3: Software requirements

• Part 4: Definitions and abbreviations

• Part 5: Examples of methods for the determination of
safety integrity levels (SILs)

• Part 6: Guidelines on the applications

• Part 7: Overview of techniques and measures

This generic standard can be used directly by industry as a
standalone standard, and as a basis for developing industry-
specific standards, such as for the machinery sector, the pro-
cess sector, or for the nuclear sector. The IEC 61511 standard
is more specific to the process industries.

IEC 61511: Safety Standard for Process Industries

While IEC 61508 is in seven parts, IEC 61511 has only three:

• Part 1: Framework, definitions, system, hardware, and
software requirements

• Part 2: Guidelines on the application

• Part 3: Guidance for the determination of the required
SILs

Part 1 of IEC 61511 is primarily normative, while Parts 2 and
3 are informative. Part 1 is structured to adhere to a safety
lifecycle model similar to that in the IEC 61508 standard.
The hazard and risk analysis utilizes the notion of protection
layers and specifies the SIL concept developed by IEC 61508
standards (Figure 47.5). It also lists key issues that need to be
addressed when developing a safety requirement specifica-
tion. This part also addresses issues, such as separation of
control and safety, failure due to common cause, response
to fault detection, hardware reliability, and on proven-in-use
systems (Table 47.4).

This part of the standard also includes software safety
requirement specifications, addressing such items as
architecture, relationship to hardware, safety instrument
functions, SIL, software validation planning, support tools,
testing, integration, and modification. In addition, one sec-
tion is dedicated to factory acceptance testing requirements,
and another section lists the installation and commissioning
requirements.

FIG. 47.5

Protection layers.

TABLE 47.4

Main Differences between IEC 61508 and IEC 61511 Standards

IEC 61508: Generic safety standard for broad range of applications
IEC 61511: Sector-specific safety standard for the process industries

IEC 61508: Applies to all safety-related systems and external risk
reduction facilities
IEC 61511: Applies only to safety-instrumented systems

IEC 61508: Primarily for manufacturers and suppliers of safety
systems and devices
IEC 61511: Primarily for system designers, integrators, and users of
safety systems

Part 2 of the standard provides “how to” guidance on the 
specification, design, installation, operation, and mainte- 
nance of safety instrumented functions (SIFs) and related SIS 
as defined in Part 1 of the standard. 

Part 3 provides guidance for developing process hazard and 
risk analysis. It provides information on 

• The underlying concepts of risk and the relationship of 
risk to safety integrity 

• The determination of tolerable risk 

• A number of different methods that enable the SILs 
for the SIFs to be determined 

It also illustrates proven-in-use methods from different coun- 
tries. It further illustrates good engineering practices across 
cultural and technological differences, providing the end- 
user with effective methods from which to select. 

ANSI/ISA-84 Standard 

The ANSI/ISA-84 safety standard was published in 1966. As 
such, it predates the IEC 61508 safety standard, but it has 
been updated. The new version of ANSI/ISA-84.01 Standard 
[3], released in 2004, is nearly identical to IEC 61511 safety 
standard. However, a grandfather clause in the new version 
allows the continued use of safety systems that follow the 
original version of the standard. 

It bears repeating that the safety standards give guid- 
ance on good practice and offer recommendations, but do 
not absolve users of responsibility for safety. The standards 
recognize that safety cannot be based on retrospective proof, 
but must be demonstrated in advance, and there is no such 
thing as a perfectly safe system. Therefore, the standards not 
only deal with technical issues, but also include planning, 
documentation, and assessment of all activities. Thus, the 
standards deal with the management of safety throughout the 
entire life of a system. The standards bring safety manage- 
ment to system management and safety engineering to soft- 
ware engineering. 


Safety Integrity Levels 

Safety integrity is defined as the likelihood of a SIS sat- 
isfactorily performing the required safety functions under 
all stated conditions, within a stated period. A SIL is 
defined as a discrete level for specifying the safety integrity 
requirements of safety functions. While a SIL is derived 
from an assessment of risk, it is not a measure of risk. It is 
a measure of the intended reliability of a system or function 
(Table 47.5). 


SAFETY LIFECYCLE MANAGEMENT 

To ensure safety, the standards specify safety lifecycle activi- 
ties that need to be followed over the entire life of a pro- 
duction system. Safety lifecycle management is a method or 
procedure that provides the means to specify, design, imple- 
ment, and maintain safety systems in order to achieve overall 
safety in a documented and verified manner. It offers a sys- 
tematic approach to safety, from an initial hazard and risk 
analysis, to safety system implementation, and ultimately, 
through system decommissioning. 

All major safety standards (ANSI/ISA-84-01-2004, IEC 
61508, IEC 61511, etc.) have specified similar safety lifecy- 
cles, differing only in the details. The IEC 61511 standard 
specifies 12 steps in the safety lifecycle. These are segmented 
into four major phases: analysis, realization, maintenance, 
and ongoing functions (Figure 47.6). 


TABLE 47.5

Safety Integrity Levels (SILs)

SIL    Probability of Failure on Demand    Probability of Failure per Hour
       (Demand Mode of Operation)          (Continuous Mode of Operation)

1      ≥10^-2 to <10^-1                    ≥10^-6 to <10^-5

2      ≥10^-3 to <10^-2                    ≥10^-7 to <10^-6

3      ≥10^-4 to <10^-3                    ≥10^-8 to <10^-7

4      ≥10^-5 to <10^-4                    ≥10^-9 to <10^-8

Note: Demand mode: actions are taken in response to process or other
conditions (no more than once per year). Continuous mode: the function
implements continuous control to maintain functional safety.


FIG. 47.6

Safety lifecycle. (Figure labels: Ongoing functions.)


Safety Lifecycle I: Analysis Phase 

The analysis phase includes the initial planning, identifica- 
tion, and specification of safety functions required for the 
safe operation of a manufacturing process, including doc- 
umentation of the safety requirements. Specific activities 
include 

• Perform Hazard and Risk Analysis: Determine haz- 
ards and hazardous events, the sequence of events 
leading to hazardous condition, the associated pro- 
cess risks, the requirements of risk reduction, and the 
safety functions required. 

• Allocate Safety Functions to Protection Layers: Check 
the available layers of protection. Allocate safety func- 
tions to protection layers and safety systems. 

• Specify Requirements for Safety System: If tolerable 
risk is still out of limit, then specify the requirements 
for each safety system and their SILs. 
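The three analysis-phase steps above, worked through as an added Python example that is not from the chapter or from any vendor tool. It takes a constructed hazard with its initiating-event frequency, allocates the protection layers already present (basic control system alarm with operator response, relief valve) and multiplies their PFDs because each layer is required to act independently of the others, compares the residual frequency with a tolerable target, and turns any shortfall into the SIL the remaining safety function must meet, using the demand-mode bands of Table 47.5. The tolerable-frequency targets, layer failure probabilities and hazard descriptions are constructed sample data, and assigning SIL 1 to any required reduction up to a factor of 10 is this example's own conservative convention.

```python
"""Added example (not from the handbook chapter): the analysis phase as a
calculation - hazard and risk analysis, allocation to protection layers,
and derivation of the required SIL. All numbers are constructed samples."""
import math
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ProtectionLayer:
    """An independent protection layer and its probability of failure on demand."""
    name: str
    pfd: float


@dataclass
class Hazard:
    description: str
    initiating_frequency: float          # hazardous events per year before any protection
    severity: str                        # key into TOLERABLE_FREQUENCY
    layers: List[ProtectionLayer] = field(default_factory=list)


# Constructed tolerable-frequency targets (events per year) per severity class.
# A real site derives these from its own risk criteria and site-specific conditions.
TOLERABLE_FREQUENCY = {"minor": 1e-2, "serious": 1e-4, "catastrophic": 1e-5}


def mitigated_frequency(hazard: Hazard) -> float:
    """Event frequency after the allocated layers. Because each layer acts
    independently of the others, their PFDs multiply."""
    freq = hazard.initiating_frequency
    for layer in hazard.layers:
        freq *= layer.pfd
    return freq


def required_rrf(hazard: Hazard) -> float:
    """Risk reduction factor still needed to reach the tolerable frequency
    (a value of 1 or less means the residual risk is already tolerable)."""
    return mitigated_frequency(hazard) / TOLERABLE_FREQUENCY[hazard.severity]


def required_sil(rrf: float) -> Optional[int]:
    """Map the required RRF onto the demand-mode SIL bands of Table 47.5:
    SIL 1 covers RRF >10 to 100, SIL 2 >100 to 1,000, SIL 3 >1,000 to 10,000,
    SIL 4 >10,000 to 100,000. Returns 0 when no further reduction is needed,
    and None when a single safety function could not provide the reduction
    (more than SIL 4), which means the process design itself must change.
    Reductions of up to 10x are assigned SIL 1 (this example's convention)."""
    if rrf <= 1.0:
        return 0
    for sil, upper in ((1, 1e2), (2, 1e3), (3, 1e4), (4, 1e5)):
        if rrf <= upper * (1 + 1e-9):      # tolerate floating-point noise at band edges
            return sil
    return None


def analyse(hazard: Hazard) -> dict:
    """Summary a safety requirement specification would start from."""
    rrf = required_rrf(hazard)
    return {
        "hazard": hazard.description,
        "residual_frequency_per_year": mitigated_frequency(hazard),
        "tolerable_frequency_per_year": TOLERABLE_FREQUENCY[hazard.severity],
        "required_rrf": rrf,
        "required_sil": required_sil(rrf),
    }


if __name__ == "__main__":
    # Constructed hazard: loss of cooling, with two existing protection layers.
    overpressure = Hazard(
        "Reactor overpressure on loss of cooling", 0.1, "catastrophic",
        [ProtectionLayer("BPCS high-temperature alarm + operator response", 0.1),
         ProtectionLayer("Relief valve", 0.01)])
    for key, value in analyse(overpressure).items():
        print(f"{key}: {value}")
    # Residual 1e-4/yr against a 1e-5/yr target: an RRF of 10 is still
    # needed, so the SIF for this hazard must be specified at SIL 1.
```

Note that hazard identification itself (the first step) is not something the calculation does; the code only scores hazards a team has already found, which is the reason the text insists that unidentified hazards cannot be reduced.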

Safety Lifecycle II: Realization Phase 

The realization phase includes not only design, installation, 
and testing of safety systems, but also the design, develop- 
ment, and installation of other effective methods of risk 
reduction, such as mechanical trips and barriers. Specific 
activities include 


• Design and Engineer Safety System: Design system to 
meet the safety requirements. 

• Design and Develop Other Means of Risk Reduction: 
Means of protection other than programmable safety 
systems include mechanical systems, process control 
systems, and manual systems. The standard does not 
specify these in any detail. 

• Install Commission and Validate the Safety 
Protections: Install and validate that the safety system 
meets the all safety requirements to the required SILs. 

Safety Lifecycle III: Maintenance Phase 

The maintenance phase begins at the startup of a process and
continues until the safety system is decommissioned or rede-
ployed. Specific activities include

• Operate and Maintain: Ensure that the safety sys- 
tem functions are maintained during operation and 
maintenance. 

• Modify and Update: Make corrections, enhance- 
ments, and adaptations to the safety system to ensure 
that the safety requirements are maintained. 

• Perform Decommissioning of Safety System: Conduct 
review and obtain required authorization before 
decommissioning of a safety system. Ensure that the 
required safety functions remain operational during 
decommissioning. 




Safety Lifecycle IV: Ongoing Functions 

Certain functions are ongoing. Examples include managing 
functional safety, planning and structuring safety lifecycle, 
and performing periodic safety system verification and safety 
audits over the whole lifecycle. These are shown as vertical 
boxes in Figure 47.6. Specific activities include 

• Manage Functional Safety, Safety Assessment, and 
Safety Audit: Identify the management activities that 
are required to ensure the functional safety objectives 
are met. 

• Plan and Structure Safety Lifecycle: Define safety 
lifecycle in terms of inputs, outputs, and verification 
activities. 

• Verify Safety System: Demonstrate by review, analy- 
sis, and/or testing that the required outputs satisfy 
the defined requirements for each phase of the safety 
lifecycle. 

Activities for Phases I-III are normally carried out con-
secutively, while Phase IV runs concurrently with the other 
phases. However, like all models, the safety lifecycle is an 
approximation. In reality, there are significant iterations 
between phases. Requirements of some of the functions, 
such as hazard and risk analysis, allocation of safety func- 
tions to protection layers, and designing and developing other 
means of risk reduction are not specified in any detail in the 
standard. 

Safety Lifecycle Implementation Problems 

Issues that inhibit manufacturers from fully implementing 
safety lifecycle practices, include 

• Absence of a safety culture 

• Lack of knowledge or expertise 

• Other competing priorities 

• Lack of appropriate software tools or packages 

• Perceived inadequate return on investments 

• Inadequate funding 

Research indicates that a majority of safety system users are 
aware of and would like to follow safety lifecycle manage- 
ment practices [4]. However, the lack of detailed technical
knowledge and implementation expertise are high on the list 
of issues inhibiting them from following the practices to a 
full extent. Competing priorities are also high on this list. 

Most users generally follow the analysis phase with fair
rigor. Quality of implementation (realization phase) varies
with the specific knowledge and skill of the implementers,
such as SIS suppliers and system integrators. However, in a
large number of cases, users do not follow proper practices
in the maintenance phase. Users, who are primarily respon-
sible for the maintenance phase, often do not perform
necessary testing at regular intervals and do not follow
proper procedures for modification and updates. This is
largely because of the lack of knowledge and training among
the operation and maintenance staff in SIS user organizations.

Understandably, the companies that have detailed knowl- 
edge of the safety lifecycle model and the requirements of 
IEC 61511/ISA-S84 usually do a much better task of applying
and following the concepts compared to those who are not 
very familiar with the requirements. Many have not taken the 
time to understand the requirements and lack enough knowl- 
edge to follow them through all steps. Usually, the lack of 
knowledge is more evident at the management level than in 
the technical level. 

When implementing lifecycle functions, a majority of 
users utilize the expertise of suppliers, system integrators, 
or other safety experts in addition to their in-house staff. 
However, there is a significant cost involved in obtaining 
the services of these consultants and the perception in some 
quarters is that the high cost cannot be readily justified. 

Implementation of safety lifecycle practices var- 
ies more by company and by geography than by industry. 
Manufacturers in the developing nations often lack adequate 
knowledge on safety issues. Hopefully, that will change in 
the near future. 

Safety Lifecycle Solution Providers 

Some major users of safety systems have adequately trained 
in-house expertise to support their lifecycle management. 
However, many others have inadequate or little expertise in 
this area. These users rely partly or fully on the safety system 
suppliers, system integrators, or independent safety consult- 
ing companies for safety lifecycle management. 

Most of the large safety system suppliers maintain teams 
of lifecycle management experts whose services they offer to 
current and prospective clients. However, the organizational 
structure of these teams varies between suppliers. So far, the 
safety system suppliers have mainly focused on safety life- 
cycle consulting, rather than on offering packaged tools to 
their clients. Some of these suppliers have developed toolsets 
that help their own safety experts to perform their tasks more 
efficiently. 

Independent safety solution providers are in the fore- 
front in offering packaged toolsets for safety lifecycle man- 
agement. These are smaller organizations that offer safety 
consulting and generally have a very high level of safety 
expertise. Today, these companies are largely filling the void 
for packaged toolsets for safety analysis and safety realiza- 
tion. However, there is still a void when it comes to safety 
system maintenance, with little available today. Packaged 
toolsets should become more commonly available within the 
next few years. 

Following are examples of some of the independent safety 
lifecycle solution providers and their products. However, the 
list is not exhaustive. 




ABB Eutech 

Trip requirement and availability calculator (TRAC) is a 
PC-based software tool used to assist engineers in deter- 
mining the optimum design configuration and periodic test 
intervals for safety systems. It provides a systematic and con- 
sistent approach to calculating required integrity level and 
trip test interval for services relating to safety, environmen- 
tal, and asset loss. 

Trip and alarm management (TRAMS) is a PC-based 
software package for the management, scheduling reporting 
and data storage of technical specifications, for plant trip and 
alarm safety or product critical systems. 

ACM 

SilCore is an IEC-compliant safety lifecycle tool that allows 
SIL determination, validation, and optimization. It has been 
used successfully on onshore and offshore projects, which 
can integrate all aspects of the SIL lifecycle — from import- 
ing risk assessment (i.e., hazard and operability [HAZOP]) 
data through to enabling facility operators to manage the 
integrity of safety and critical control systems. 

Dyadem 

PHA-Pro provides expert guidance for studying a full range 
of facilities to help companies identify hazards. The software 
simplifies process safety management (PSM) with a series of 
templates and a preformatted worksheet. It allows the pro- 
duction of consistent and auditable documentation in HTML, 
Microsoft Word, and other formats. 

FTA-Pro offers a top-down approach to fault tree analy- 
sis (FTA), starting with a potential undesirable event — called
a top event — and then determining all the different ways in 
which it can occur. It generates graphical representation of 
the relationship between an undesired potential event and all 
its probable causes. Based on that, mitigation measures can 
be developed to minimize the probability of the undesired 
events. 

Exida 

SILHazop is a part of SILSuite, a modular set of software 
tools that has been widely used by leading refining and 
chemical companies worldwide. It offers lifecycle analysis 
with simplistic line and node tracking, assigned severity by 
“cause/consequence pairs,” proposed safeguards and flags for 
SIL determination, facilities to raise actions during HAZOP, 
managed action responses and HAZOP close-out, and com- 
prehensive user defined reporting. 

The exSILentia provides fully customizable SIL selection
options such as risk graph, hazard matrix, and frequency-
based targets. In addition, a complete SIF SRS template
ensures completeness in requirements definition. exSILentia
contains a comprehensive SIL verification program, SILver,
allowing extensive SIF definition, and an IEC 61508 approved
calculation engine based on the Markov Modeling tech-
nique. The exSILentia has direct access to the exida Safety
Equipment Reliability Handbook equipment items, speeding
up the process of SIL verification by allowing users to select
equipment items from the Handbook without having to enter
reliability data.

Primatech 

AUDITWorks assists in the preparation and documentation 
of safety and environmental compliance audits. It provides 
guidance in conducting audits, a framework in which to 
record audit results including data management capabilities, 
and protocols for evaluating compliance. A variety of check- 
lists are available in AUDITWorks containing questions that 
can be used to audit various programs, including OSHA’s 
PSM and EPA’s Risk Management Program regulations. It 
allows auditing against government regulations, industry 
standards, and a client’s own health, safety and environmen- 
tal standards. 

PHAWorks is a specialized tool for conducting process 
hazards analysis (PHA) for small to large systems. It allows 
conducting PHA studies using different techniques such as 
HAZOP, What-If, FMEA, PrHA, and Checklist.

Tracker allows the user to track items from conception 
to completion. These items can come from process safety 
studies or from other sources. Tracker not only manages the 
status of tracked items, but also acts as a management tool to
generate up-to-date status reports and cost reports. 

SIS-Tech 

SIL Solver integrates an extensive device database with sim- 
plified FTA equations to provide you with an SIL verifica- 
tion tool that delivers significant cost and time savings. The 
software runs on a Microsoft Windows platform and utilizes 
standard user interface components that allow easy and quick 
modeling of safety functions. It calculates the probability to 
fail on demand average and the mean time to failure spuri- 
ous, ensuring the designing of a system that not only meets 
target SIL, but also reliability goals. 
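An added Python example, not from the chapter and not the code of ABB, exida or SIS-Tech, of the kind of calculation the tools above automate (TRAC's trip test interval, SILver's SIL verification, SIL Solver's PFDavg and MTTF spurious). It uses the simplified textbook approximations for the average probability of failure on demand of 1oo1, 1oo2 and 2oo3 architectures, which ignore common-cause failure, repair time and imperfect proof testing, so a real verification tool will claim less (and IEC 61508's architectural constraints on hardware fault tolerance, not modelled here, further cap what a given architecture may claim). It checks the result against the demand-mode bands of Table 47.5 and solves the same formula backwards for the longest proof-test interval that still meets a target. The failure rates, repair time and function names are constructed.

```python
"""Added example (not from the handbook chapter or any vendor tool): a
minimal SIL verification calculation. Simplified approximations, no common
cause, no repair time, perfect proof tests. All rates are constructed."""
import math

HOURS_PER_YEAR = 8760.0
ARCHITECTURES = ("1oo1", "1oo2", "2oo3")


def pfd_avg(architecture: str, lambda_du: float, test_interval_h: float) -> float:
    """Average probability of failure on demand. lambda_du is the dangerous
    undetected failure rate (per hour) of one channel; test_interval_h is the
    proof-test interval in hours. x is the expected number of dangerous
    undetected failures of one channel per test interval."""
    x = lambda_du * test_interval_h
    if architecture == "1oo1":
        return x / 2.0
    if architecture == "1oo2":
        return x * x / 3.0
    if architecture == "2oo3":
        return x * x
    raise ValueError(f"unknown architecture {architecture!r}")


def max_test_interval(architecture: str, lambda_du: float, target_pfd: float) -> float:
    """Longest proof-test interval (hours) for which pfd_avg stays at or
    below target_pfd: pfd_avg inverted for the test interval."""
    if architecture == "1oo1":
        return 2.0 * target_pfd / lambda_du
    if architecture == "1oo2":
        return math.sqrt(3.0 * target_pfd) / lambda_du
    if architecture == "2oo3":
        return math.sqrt(target_pfd) / lambda_du
    raise ValueError(f"unknown architecture {architecture!r}")


def mttf_spurious(architecture: str, lambda_s: float, mttr_h: float) -> float:
    """Mean time to a spurious (false) trip, in hours. lambda_s is the safe
    failure rate per channel per hour, mttr_h the mean time to repair."""
    if architecture == "1oo1":
        return 1.0 / lambda_s
    if architecture == "1oo2":
        return 1.0 / (2.0 * lambda_s)                  # either channel tripping trips the function
    if architecture == "2oo3":
        return 1.0 / (6.0 * lambda_s ** 2 * mttr_h)    # two channels must trip within one repair time
    raise ValueError(f"unknown architecture {architecture!r}")


def sil_achieved(pfd: float) -> int:
    """Highest demand-mode SIL whose Table 47.5 band the PFDavg satisfies
    (SIL n needs PFD < 10^-n); 0 if not even SIL 1, capped at SIL 4."""
    if pfd >= 1e-1:
        return 0
    return min(4, math.floor(-math.log10(pfd) - 1e-9))


if __name__ == "__main__":
    # Constructed channel data: dangerous undetected and safe failure rates
    # per hour, and an 8 h repair time; one-year proof-test interval.
    lam_du, lam_s, mttr = 1.0e-6, 1.0e-5, 8.0
    for arch in ARCHITECTURES:
        pfd = pfd_avg(arch, lam_du, HOURS_PER_YEAR)
        years = mttf_spurious(arch, lam_s, mttr) / HOURS_PER_YEAR
        print(f"{arch}: PFDavg={pfd:.2e} (meets SIL {sil_achieved(pfd)}), MTTF spurious={years:.0f} years")
    days = max_test_interval("1oo1", lam_du, 1e-3) / 24.0
    print(f"1oo1 must be proof-tested every {days:.0f} days to hold a SIL 3 target (PFD < 1e-3)")
```

The test-interval inversion is the practical lesson: with the same hardware, a 1oo1 loop that meets SIL 2 on a yearly test needs roughly quarterly testing to reach SIL 3, which is exactly the maintenance-phase testing the text reports users most often neglect.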


PROCESS SAFETY MANAGEMENT RESPONSIBILITIES 

The standards define requirements for overall safety manage-
ment, rather than just for system development. Not all safety
lifecycle phases will be of equal relevance to every appli-
cation, and management is responsible for defining which
requirements are applicable in each case. The standards do
not prescribe exactly what should be done in any particu-
lar case, but guide management toward decisions and offer
advice. Management continues to be responsible for taking
appropriate actions and justifying them.

TABLE 47.6

Recommendations for Better Safety Lifecycle Management

Give due importance to safety lifecycle management if you have a
hazardous process or manufacture, store, or handle hazardous
materials

Give safety the highest priority and follow all the major phases of
lifecycle management

For greater efficiency, use software tools and packages for safety
lifecycle management whenever possible

Use the services of trained safety experts who can guide you through all
the phases of the lifecycle

Consider whether you may maintain such expertise in-house or utilize
outside help from safety system suppliers, system integrators, or safety
consultants

Train your operating and maintenance staff to effectively support the
maintenance phase

For effective management, cultivate a robust safety culture throughout
your organization, supported at the highest levels

Management responsibilities include rigorous safety 
planning, including the choice of safety lifecycle phases to 
be used, and the activities to be carried out within those 
phases. However, the users should realize that safety systems 
by themselves do not achieve safety. People working within a 
strong safety culture achieve greater safety and it is manage- 
ment's responsibility to foster and maintain such a culture 
(Table 47.6). 

HAZARD AND RISK ANALYSIS 

A fundamental principle of the standards is that safety requirements should be based on analysis of the risks posed by a manufacturing system together with its control system. The analysis consists of three stages: hazard identification, hazard analysis, and risk assessment.

A hazard is defined as a potential source of harm. A manufacturing system and its control system may pose many hazards, each carrying its own risk. To determine the necessary overall risk reduction, the risk posed by each hazard must be considered. Hazard identification is critical, since the risks associated with unidentified hazards cannot be reduced. Hazard identification is unlikely to be effective if carried out by an individual. A well-managed team with defined objectives, whose members are chosen to bring complementary viewpoints to the process, can perform hazard analysis more effectively than a single individual can.

As mentioned before, IEC 61508 and IEC 61511 are performance-based standards. As such, they do not mandate any specific safety system architecture or risk assessment procedure. However, they provide guidance in the areas of risk assessment and risk reduction. Following are some of the risk assessment and SIL determination concepts outlined in IEC 61511 Part 3. Detailed descriptions of these techniques are beyond the scope of this chapter. For more details, readers should refer to the IEC 61511 standard or the textbooks listed under Bibliography at the end of this chapter.

FIG. 47.7

Tolerable risk and ALARP. Risk class I: Risk cannot be justified except in extraordinary circumstances. Risk class II: Risk is tolerable only if further risk reduction is impracticable or its cost is grossly disproportionate to the improvement gained, and society desires the benefit of the activity given the associated risk. Risk class III: Level of residual risk regarded as negligible; further measures to reduce it are not usually required. Note: There is no relationship between risk class and SIL.

As Low as Reasonably Practicable

The "as low as reasonably practicable (ALARP)" principle may be applied to determine tolerable risk and SILs. However, it is not, in itself, a method for determining SILs. Tolerable risk implies that it is not possible to achieve absolute safety. A level of risk may be considered tolerable, based on the benefit gained in taking the risk, provided it is ALARP. The ALARP triangle is divided into three regions, with the width at any point indicating the magnitude of the risk (Figure 47.7). Risk class I represents risks that cannot be justified except in extraordinary circumstances. Risk class III represents risk that is so low as to be negligible and is thus acceptable without any further risk avoidance measures. Risk class II in the middle represents risk that can only be tolerated if measures have been taken to reduce it to ALARP.

The concept of ALARP can be used whether qualitative or quantitative risk targets are adopted. To apply the ALARP principle, it is necessary to define the three regions in terms of the probability and consequence of an incident. The interested parties should work together to determine this tolerable risk jointly: those producing the risks, those exposed to the risks, and the safety regulatory authorities. Table 47.7 is an example of the three risk classes for a number of consequences and frequencies. After determining the tolerable risk target, it is then possible to determine the SILs of the safety instrumented functions.




47 Safety in Processes: Rules, Standards, Certification, Culture, and Management 725


TABLE 47.7

Example of Risk Classification of Incidents

Probability     Catastrophic   Critical   Marginal   Negligible
Frequent        I              I          I          II
Probable        I              I          II         II
Occasional      I              II         II         II
Remote          II             II         II         III
Improbable      II             III        III        III
Incredible      II             III        III        III

The probability of occurrence is defined as follows: frequent, many times in the system's lifetime; probable, several times in the system's lifetime; occasional, once in the system's lifetime; remote, unlikely during the system's lifetime; improbable, very unlikely; incredible, absolutely improbable. The consequences are defined as follows: catastrophic, multiple loss of life; critical, loss of a single life; marginal, major injuries to one or more persons; negligible, minor injuries.

Note: The risk classes are application dependent.

Methods for Determining Safety Integrity Level 

IEC 61511 Part 3 specifies a number of ways to establish the required SILs for a specific application. The method selected for a specific application depends on many factors, such as

• Application complexity 

• Guidelines from regulatory authorities 

• Nature of the risk and the risk-reduction requirements 

• Experience and skills of the persons available to 
undertake the work 

• Information available on the parameters relevant to 
the risk 

More than one method may be used in an application. A 
qualitative method may be used first, followed by a more 
rigorous quantitative method, if needed. Qualitative methods 
outlined in the standard include 

• Safety reviews 

• Checklists 

• What if analysis 

• HAZOP 

• Failure mode and effects analysis 

• Cause-consequence analysis 

HAZOP analysis is one of the more widely used techniques. It identifies and evaluates both hazards in process plants and non-hazardous operability problems that compromise a plant's ability to achieve its design productivity. Table 47.8 is an example of the results of a HAZOP analysis.

Semi-Quantitative Risk Analysis Techniques 

An estimate of the process risk can be made by a semi-quantitative risk-analysis procedure that identifies and quantifies the risks associated with potential process accidents or hazardous events. The results can be used to identify the necessary safety functions and their associated SILs in order to reduce the process risk to an acceptable level. Following are the main steps of this technique. The first four steps can be performed during the HAZOP study:

• Identify process hazards 

• Identify safety-layer composition 

• Identify initiating events 

• Develop hazardous event scenarios for every initiating 
event 

• Ascertain the frequency of occurrence of the initiat- 
ing events and the reliability of existing safety systems 

• Quantify the frequency of occurrence of significant 
hazardous events 

• Integrate the results for risks associated with each 
hazardous event 

The above exercise provides a better understanding of haz- 
ards and risks associated with a process and helps identify 
safety functions needed to reduce risks to acceptable levels. 
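As an added worked example (not part of the chapter), the following Python carries the last three steps through for constructed scenarios: it multiplies the initiating-event frequency by the PFD of each existing protection layer, compares the result with a tolerable frequency, and converts the required risk reduction factor into a SIL target using the IEC 61508/IEC 61511 PFDavg bands. The scenario names, frequencies and layer PFDs are invented for illustration.

```python
"""Semi-quantitative scenario risk and required SIL.

Added example; the arithmetic is the standard layer-of-protection
calculation, not a procedure quoted from the chapter:

    mitigated frequency = initiating-event frequency x PFD of each existing
                          independent protection layer that must also fail
    required RRF        = mitigated frequency / tolerable frequency
    SIF target PFDavg   = 1 / required RRF

SIL bands for the target PFDavg follow IEC 61508/IEC 61511:
SIL 1: [1e-2, 1e-1), SIL 2: [1e-3, 1e-2), SIL 3: [1e-4, 1e-3), SIL 4: [1e-5, 1e-4).
All scenario numbers below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SIL_BANDS: List[Tuple[int, float, float]] = [
    (1, 1e-2, 1e-1),
    (2, 1e-3, 1e-2),
    (3, 1e-4, 1e-3),
    (4, 1e-5, 1e-4),
]


@dataclass
class Scenario:
    name: str
    initiating_event_freq: float   # demands per year
    tolerable_freq: float          # tolerable frequency of the consequence, per year
    layer_pfds: Dict[str, float] = field(default_factory=dict)  # existing non-SIS layers

    def mitigated_freq(self) -> float:
        """Frequency of the hazardous event with the existing layers credited."""
        f = self.initiating_event_freq
        for name, pfd in self.layer_pfds.items():
            if not 0.0 < pfd <= 1.0:
                raise ValueError(f"{self.name}: PFD for layer {name!r} must be in (0, 1]")
            f *= pfd
        return f

    def required_rrf(self) -> float:
        """Risk reduction factor a new SIF must supply; <= 1 means none is needed."""
        return self.mitigated_freq() / self.tolerable_freq


def required_sil(rrf: float) -> Optional[int]:
    """Map a required RRF to a SIL target.

    Returns None when no SIF is required (RRF <= 1), 0 when some reduction is
    needed but less than SIL 1 (RRF < 10; a non-SIS layer may be enough), and
    raises when the target lies beyond SIL 4, because a single SIF should not
    be asked for that much: the process or the other layers need redesign.
    """
    if rrf <= 1.0:
        return None
    target_pfd = 1.0 / rrf
    if target_pfd >= 1e-1:
        return 0
    for sil, lower, upper in SIL_BANDS:
        if lower <= target_pfd < upper:
            return sil
    raise ValueError(f"target PFDavg {target_pfd:.1e} is below the SIL 4 band; redesign required")


# Constructed scenarios in the style of the HAZOP table (Table 47.8).
SCENARIOS = [
    Scenario("reactor high pressure from control-system failure", 0.2, 1e-5,
             {"operator response to alarm": 0.1}),
    Scenario("reactor low flow, excess pressure", 0.05, 1e-4,
             {"relief valve": 0.01, "operator response to alarm": 0.1}),
    Scenario("external fire, release to environment", 0.5, 1e-2),
]


def assess(scenarios: List[Scenario]) -> List[Tuple[str, float, float, Optional[int]]]:
    """Return (name, mitigated frequency, required RRF, required SIL) per scenario."""
    out = []
    for s in scenarios:
        rrf = s.required_rrf()
        out.append((s.name, s.mitigated_freq(), rrf, required_sil(rrf)))
    return out


if __name__ == "__main__":
    for name, freq, rrf, sil in assess(SCENARIOS):
        print(f"{name}: f={freq:.2e}/yr RRF={rrf:.1f} SIL={'none' if sil is None else sil}")
```

The second scenario shows why the order of the steps matters: once the relief valve and operator response are credited, the mitigated frequency is already below the tolerable target and no SIF is needed, whereas the first scenario needs three orders of magnitude of reduction from a SIL 3 function.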

Risk Graph 

Risk graph is a method for evaluating SILs (Figure 47.8). This method focuses on evaluating risk from the point of view of a person who would be exposed in the incident impact zone. Risk graphs use four parameters to characterize a potential hazardous event: consequence (C), frequency of exposure (F), possibility of escape (P), and probability of occurrence of the unwanted event (W). To assess the consequence severity, the following are considered:

• Potential for injury or fatality

• Possibility of the exposed person recovering and returning to normal activities

• The effects of injury, acute or chronic

The resulting SILs are shown in columns.


TABLE 47.8

Example of a HAZOP Report

Item     Deviation      Cause                      Consequence              Safeguards                Recommendations
Reactor  High level     Failure of control system  High pressure            Operator
Reactor  High pressure  High level                 Release to environment   Alarm, protection layer   Evaluate conditions for release to environment
                        External fire                                       Fire deluge system
Reactor  Low flow       Failure of control system  Excess pressure          Operator                  Open pressure release valve manually







Consequence of event:
  C1 = Minor injury
  C2 = Serious permanent injury to one or more persons, death to one person
  C3 = Death of several people
  C4 = Very many people killed
Frequency of exposure:
  F1 = Rare to more often exposure in the hazardous zone
  F2 = Frequent to permanent exposure
Possibility of escape:
  P1 = Possible under certain conditions
  P2 = Almost impossible
Probability of occurrence of the unwanted event:
  W1 = Slight probability (less than 0.3 per annum)
  W2 = Medium probability (0.3 per annum or more but below 3 per annum)
  W3 = High probability (3 per annum or above)
Outcomes:
  a = No special safety requirement
  b = A single safety system is not sufficient
  1, 2, 3, 4 = Safety integrity level

FIG. 47.8

Example of a risk graph.


Fire and Gas Monitoring 

As stated before, ISA-84.01-2004 is a performance-based 
standard that specifies the requirements for implementing a 
SIS, based on functional and integrity requirements estab- 
lished during a hazard and risk analysis. As the concept 
of performance-based functional safety matures, there has 
been much industry debate whether or not the fire and gas 
monitoring system (FGS) should be characterized as a SIS. 

Those who would classify a FGS as a SIS argue that a system of gas and flame detectors is an effective mitigation layer of protection and should fall within the scope of IEC 61508 and IEC 61511. This implies that if a facility chooses to implement a FGS as a layer of protection, understanding the operating characteristics of the technology and designing a solution that optimizes the functionality of the equipment, then the system should conform to the requirements of both IEC 61508 and IEC 61511.

An FGS that automatically initiates process actions to 
prevent or mitigate a hazardous event and subsequently takes 
the process to a safe state can be considered a SIF as per- 
formed in an SIS. The FGS would need to be composed of the 
appropriate logic solvers, sensors, and final control elements. 

Correct sensor placement, proper system utilization, and 
installation of a diverse set of detection technologies, are all 


important issues to consider when determining whether a 
FGS can technically be classified as a SIS. If the gas or flame 
detectors are not correctly placed and hazardous gases and 
flames are not adequately detected, then the SIF/SIS will not 
be effective, regardless of the system SIL rating. 

ISA Technical Report 

This confusion about the applicability of the safety standards led ISA Standard Panel 84 (SP84) to provide supplemental information on applying hazard and risk analysis to FGS. The working group determined that a risk-based approach to fire and gas protection would benefit the industry, but that it would be difficult, if not impossible, to adopt the ISA-84 standard directly without some additional clarification. Technical report ISA-TR84.00.07 provides this clarification [5].

Essentially, the report states that the ISA-84 risk-based approach is a suitable extension of NFPA 72 and EN 54 (where those standards are required). The report also makes it clear that the ISA-84 process needs to be extended with calculations specific to FGSs. These cover the probability of detecting a release. The report recommends that the calculations provide a performance factor referred to as "detector scenario coverage" or "detector geographic coverage." These additional factors are the main addition to the ISA-84 process that must be considered for an FGS.
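The technical report gives the coverage definitions in full; as an added example (not from the report or the chapter), the Python below computes both factors under a simplified model in which a detector sees any point within an assumed detection radius. Geographic coverage is the fraction of the monitored area seen by the required number of detectors (1ooN or 2ooN voting), and scenario coverage weights each release point by its frequency, so an unmonitored but frequent leak source counts for more than a covered rare one. Detector positions, radii and release frequencies are constructed, and the closing product of coverage, safety availability and mitigation effectiveness is this example's own model.

```python
"""Detector scenario coverage and geographic coverage for a fire and gas system.

Added example. ISA-TR84.00.07 defines these factors in detail; the model here
is a deliberate simplification and an assumption of this example: a detector
"sees" a point if the point lies within the detector's effective detection
radius. Geographic coverage is the fraction of a regular grid over the
monitored area seen by at least `votes` detectors; scenario coverage is the
frequency-weighted fraction of release scenarios seen by at least `votes`
detectors. Layout, radii and release frequencies are constructed.
"""
from dataclasses import dataclass
from math import hypot
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Detector:
    name: str
    x: float
    y: float
    radius: float  # effective detection radius in metres (assumed per technology)


@dataclass(frozen=True)
class Release:
    name: str
    x: float
    y: float
    freq: float  # release frequency per year (constructed)


def detectors_seeing(x: float, y: float, detectors: Sequence[Detector]) -> List[Detector]:
    return [d for d in detectors if hypot(d.x - x, d.y - y) <= d.radius]


def geographic_coverage(area: Tuple[float, float, float, float],
                        detectors: Sequence[Detector], votes: int = 1,
                        step: float = 1.0) -> float:
    """Fraction of grid points in area=(x0, y0, x1, y1) seen by >= votes detectors."""
    x0, y0, x1, y1 = area
    nx = int(round((x1 - x0) / step)) + 1
    ny = int(round((y1 - y0) / step)) + 1
    covered = 0
    for j in range(ny):
        for i in range(nx):
            if len(detectors_seeing(x0 + i * step, y0 + j * step, detectors)) >= votes:
                covered += 1
    return covered / (nx * ny)


def scenario_coverage(releases: Sequence[Release], detectors: Sequence[Detector],
                      votes: int = 1) -> float:
    """Frequency-weighted fraction of release scenarios seen by >= votes detectors."""
    total = sum(r.freq for r in releases)
    seen = sum(r.freq for r in releases
               if len(detectors_seeing(r.x, r.y, detectors)) >= votes)
    return seen / total


def uncovered(releases: Sequence[Release], detectors: Sequence[Detector],
              votes: int = 1) -> List[str]:
    """Names of release scenarios that would not trip the voted detection."""
    return [r.name for r in releases if len(detectors_seeing(r.x, r.y, detectors)) < votes]


def fgs_risk_reduction(coverage: float, pfd_avg: float, mitigation_effectiveness: float) -> float:
    """Overall effectiveness of the FGS function (assumed product model):
    coverage x safety availability (1 - PFDavg) x effectiveness of the mitigation action."""
    return coverage * (1.0 - pfd_avg) * mitigation_effectiveness


# Constructed layout: a 20 m x 10 m process area with two gas detectors.
AREA = (0.0, 0.0, 20.0, 10.0)
DETECTORS = [Detector("GD-1", 5.0, 5.0, 6.0), Detector("GD-2", 15.0, 5.0, 6.0)]
RELEASES = [
    Release("pump seal",       5.0,  5.0, 0.10),
    Release("flange, centre", 10.0,  5.0, 0.05),
    Release("compressor",     19.0,  9.0, 0.02),
    Release("corner drain",    0.0, 10.0, 0.01),  # outside both detection radii
]

if __name__ == "__main__":
    for votes in (1, 2):
        print(f"{votes}ooN: geographic={geographic_coverage(AREA, DETECTORS, votes):.2f} "
              f"scenario={scenario_coverage(RELEASES, DETECTORS, votes):.2f} "
              f"missed={uncovered(RELEASES, DETECTORS, votes)}")
```

Moving to 2ooN voting to suppress spurious trips drops the covered fraction sharply with only two detectors, which is the trade-off the report's coverage factor is meant to expose before the system SIL is quoted.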

In conclusion, the design and implementation of a fire and gas system should be consistent with the underlying principles of ANSI/ISA 84.00.01-2004 (IEC 61511). The safety lifecycle specified in ISA-TR84.00.07 can provide the basis for design and management (Figure 47.9). Prescriptive approaches for designing the components of a FGS are generally accepted as good engineering practice. In high-risk situations, users should supplement these practices with performance-based analysis to improve the design with more effective coverage and lower probability of failure. Ultimately, it is up to the user to decide when to apply performance-based approaches. The concepts underlying a performance-based approach outlined in this technical report are suitable for analyzing and designing a fire and gas system that may be used effectively in conjunction with other good engineering practices. ISA-TR84.00.07, though not part of the normative safety standard, is a valuable guidance document for FGS suppliers and users.

FIG. 47.9

Fire and gas safety lifecycle. Steps shown: ascertain areas of concern; identify risk situations; evaluate the consequences; evaluate hazard frequency; perform unmitigated risk appraisal; ascertain risk reduction requirements.

Safety System Certification 

Safety system certifications objectively assess the reliability 
and availability of critical control and safety shutdown sys- 
tems and related products. Some advantages include 

• Allows making informed decisions when choosing a 
product for a specific application 

• Allows products and systems to be certified against 
standards 

• Allows installing certified products and achieving recognized levels of process safety

• Gives the manufacturers of safety systems the oppor- 
tunity to improve their products 

• Gives suppliers of safety systems competitive advan- 
tage through documented product quality and 
reliability 

Following industrialization, safety regulations came into being when steam engines and boiler explosions started causing many deaths. For over a century, TUV has been at the forefront of inspection and certification of safety-related systems in Germany. TUV's exhaustive certification process covers everything from the formulation and documentation of the original design concepts to the manufactured product and its suitability for a defined application. TUV is not a single entity but consists of a number of independent regional organizations. Among these, TUV Rheinland, TUV Product Services (a part of TUV Suddeutschland), and TUVIT (part of RWTUV) are the most active in certifying safety-related systems.

A research project started in the early 1980s by the TUVs 
on computer-based safety systems resulted in a document 
that led to the German safety standard DIN/VDE 0801. Until 
recently, the TUVs certified systems based on DIN standard 
(AK Class 1-7). They now certify systems based on the IEC 
61508 standards. 

Every supplier that pursues this market has systems 
certified by one of the TUVs. Both users and suppliers 
of safety systems have a favorable view of TUV certifi- 
cation. Users want the reassurance of installing a system 
certified by a qualified agency, and suppliers are willing 
to pay the necessary fees to differentiate themselves from 
competitors. 

Other organizations involved in safety system certifi- 
cation include INERIS, UL, BASEEFA, Factory Mutual, 


and many other national organizations. INERIS, a French 
research organization, has close links with French Ministries 
of the Environment and Industry. It has been involved 
in safety system certification since its inception in 1992. 
INERIS has little presence outside France and its clients are 
predominantly French manufacturers. 

Factory Mutual, with headquarters in Norwood, 
Massachusetts, has a long history in product testing and 
approval. The company services its clients through offices 
around the globe and inter-laboratory agreements with test- 
ing facilities in North America, Europe, Asia, Australia, and 
Latin America. 

In late 1997, Factory Mutual and TUV Product Services 
signed a collaborative agreement enabling safety system 
manufacturers to obtain global certification of their products 
at either laboratory. The two labs now also work together to 
develop common interpretation and certification procedures 
for the IEC 61508 standard. As the two organizations have 
name recognition in the different regions of the world, safety 
certification from either organization will be more widely 
accepted than before. The two organizations work in paral- 
lel, when needed, to reduce the time required for certification 
process and time to market. 

Exida, a safety consulting company headquartered in 
Sellersville, Pennsylvania, has initiated a safety certification 
program for end users in the process industries and for instru- 
mentation product manufacturers. The exida Certification 
Program is operated by an independent legal entity based 
in Geneva, Switzerland. Assessors from the exida certifica- 
tion company or other exida organizations are assigned on 
a project basis under management from the exida certifica- 
tion company. Exida assigns individuals to do the IEC 61508 
assessments such that no one who has worked on a project as 
a consultant may participate in the assessment, thus ensuring 
independent audit and assessment. 

Users should only consider those systems that have been 
certified by a TUV or a similar organization for safety appli- 
cations. In certifying a system or a product, these organiza- 
tions usually specify the conditions and restrictions for their 
proper use. Before selecting and using a system or product, an 
end user needs to study and understand those conditions and 
restrictions, copies of which are available from the suppliers. 

MAJOR SAFETY TRENDS 

As users become more knowledgeable about safety issues, they perform more thorough safety analysis to determine their needs more accurately. They look to reduce risks by increasing their focus on overall safety. They want their safety systems to satisfy their needs in a more cost-effective way through closer integration of safety systems with control systems. They look for a flexible architecture and more scalability; increased functionality for modifying alarm limits based on process conditions; and orderly shutdown procedures in case of emergency.







Overall Safety 

The main cause of an SIS failure is not the failure of logic 
solvers, but the failure of field devices. While voting circuits 
and advanced diagnostics represent significant advances in 
the development of the architecture of logic solvers, these 
advancements do not address over 90% of the causes for fail- 
ure. An integrated safety approach is needed in which field 
devices are well integrated with the programmable safety 
systems. 

Today, a protective system should be able to check the 
health of the process inputs and outputs (primarily sensors 
and valves). In fact, the system should incorporate these com- 
ponents in its overall design. I/O-related health functions 
include 

• Sensor validation 

• Environment condition monitoring, such as tempera- 
ture and humidity that can cause sensor degradation 

• Impulse line blockage monitoring 

• Avoiding valve stem seizure 

Electronic components frequently fail due to environmen- 
tal conditions. Many electronic device failures are due to 
elevated humidity and temperature, which need to be moni- 
tored closely. Sensor calibration is also becoming an integral 
part of a safety system. Use of protocols, such as HART and 
Foundation Fieldbus, allows for remote monitoring, diagnos- 
tics, and validation. 

Automated Monitoring and Testing of Field Devices 

Certified smart sensors and final control elements that can 
report their health to the logic solver are now available. This 
increases availability, as an unhealthy sensor can be replaced 
promptly or its input ignored for a voting strategy. Also, prob- 
lems with final control elements can be diagnosed rapidly to 
avert dangerous situations. 

High-performance valve technologies are now becoming 
available for safety applications. When using standard-grade 
valves in safety applications, users must always be concerned 
about the valve’s ability to trip on demand. Control valves are 
being designed to have very low probability of stem seizure 
and packing failure. TUV-certified control valves are now 
also available. SIS design includes testing of limited valve 
movement (partial stroke testing) during normal operations. 

Smart valve positioners also make partial stroke testing 
possible. This gives a much richer diagnostic than is possible 
with manual testing. It also prevents exposing personnel to 
risk while they manually test in the field. Additionally, the 
test can be performed without having to remove the valve 
from the safety scheme. 

The IEC 61511 standard requires that all components of an 
SIS be taken off-line periodically and fully tested. The inter- 
val between these “proof” tests depends on the components in 
question and the required SIL. Automated testing techniques, 


combined with certified devices that have independently veri- 
fied reliability figures, allow the proof test interval to be greatly 
extended, thereby increasing the length of a plant’s runtimes. 
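An added example (not from the chapter) of how the proof-test interval, architecture and partial-stroke testing trade off, in Python. The PFDavg expressions are the common simplified low-demand approximations and the failure rate of the valve assembly is constructed; the point to see is that a 1oo1 valve at a three-year proof test drops from SIL 2 to SIL 1, and that monthly partial-stroke testing with 70% coverage restores SIL 2 without a full offline test.

```python
"""PFDavg versus proof-test interval, with partial-stroke testing credit.

Added example. The formulas are the usual simplified approximations for
low-demand SIFs (repair time neglected), stated here as this example's
assumptions rather than quoted from the chapter:

    1oo1:  PFDavg ~ lambda_DU * TI / 2
    1oo2:  PFDavg ~ (lambda_DU * TI)^2 / 3 + beta * lambda_DU * TI / 2
    2oo3:  PFDavg ~ (lambda_DU * TI)^2     + beta * lambda_DU * TI / 2

lambda_DU: dangerous undetected failure rate per hour; TI: proof-test
interval in hours; beta: common-cause fraction. Partial-stroke testing (PST)
with diagnostic coverage C at interval T_pst splits the DU failures into a
part revealed every T_pst and a part found only at the full proof test:

    1oo1 with PST: PFDavg ~ C*lambda_DU*T_pst/2 + (1-C)*lambda_DU*TI/2

Achieved-SIL bands per IEC 61508/IEC 61511. Failure rates are constructed.
"""
from typing import Optional

HOURS_PER_MONTH = 730.0


def pfd_1oo1(lam_du: float, ti_h: float) -> float:
    return lam_du * ti_h / 2.0


def pfd_1oo2(lam_du: float, ti_h: float, beta: float = 0.05) -> float:
    x = lam_du * ti_h
    return x * x / 3.0 + beta * x / 2.0


def pfd_2oo3(lam_du: float, ti_h: float, beta: float = 0.05) -> float:
    x = lam_du * ti_h
    return x * x + beta * x / 2.0


def pfd_1oo1_with_pst(lam_du: float, ti_h: float, coverage: float, pst_h: float) -> float:
    """1oo1 valve with partial-stroke testing; coverage is the fraction of DU
    failures a partial stroke can reveal (a seized stem yes, a leaking seat no)."""
    if not 0.0 <= coverage <= 1.0:
        raise ValueError("coverage must be in [0, 1]")
    return coverage * lam_du * pst_h / 2.0 + (1.0 - coverage) * lam_du * ti_h / 2.0


def achieved_sil(pfd: float) -> Optional[int]:
    """SIL band for an achieved PFDavg; None if worse than SIL 1 (PFDavg >= 0.1)."""
    if pfd >= 1e-1:
        return None
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def longest_proof_interval_months(lam_du: float, target_sil: int, max_months: int = 120) -> int:
    """Longest proof-test interval (whole months) at which a 1oo1 element still
    achieves target_sil; 0 if even monthly testing is insufficient."""
    best = 0
    for months in range(1, max_months + 1):
        sil = achieved_sil(pfd_1oo1(lam_du, months * HOURS_PER_MONTH))
        if sil is not None and sil >= target_sil:
            best = months
        else:
            break  # PFDavg grows monotonically with TI, so stop at the first failure
    return best


# Constructed figures for a shutdown valve assembly.
LAMBDA_DU = 2e-6  # per hour (about 0.0175 dangerous undetected failures per year)
ONE_YEAR = 12 * HOURS_PER_MONTH

if __name__ == "__main__":
    for years in (1, 2, 3):
        ti = years * ONE_YEAR
        p = pfd_1oo1(LAMBDA_DU, ti)
        print(f"TI={years}y 1oo1={p:.2e} (SIL {achieved_sil(p)}) "
              f"1oo2={pfd_1oo2(LAMBDA_DU, ti):.2e} 2oo3={pfd_2oo3(LAMBDA_DU, ti):.2e}")
    with_pst = pfd_1oo1_with_pst(LAMBDA_DU, 3 * ONE_YEAR, coverage=0.7, pst_h=HOURS_PER_MONTH)
    print(f"3y proof test + monthly PST (C=0.7): {with_pst:.2e} (SIL {achieved_sil(with_pst)})")
    print("longest 1oo1 interval for SIL 2:", longest_proof_interval_months(LAMBDA_DU, 2), "months")
```

The PST credit depends entirely on the coverage figure, which must come from the valve's failure-mode analysis or certification data, not from an assumed value as here; failure modes a partial stroke cannot reveal still require the full proof test.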

Integration with, but Separation from, 
the Control System 

Until recently, it was common practice to keep controllers 
(logic solvers) used for safety completely independent of those 
used for process control and optimization. In the past, safety 
controllers came from specialized manufacturers who added 
extensive diagnostics and received TUV safety certification. 
Users had no choice but to employ completely different systems 
for control and safety. Some users even mandated that their 
control and safety systems come from different manufacturers. 

There are many reasons to put safety and control func- 
tions in different controllers. These include 

• Independent failures — minimizing the risk of simul- 
taneous failure of a control system along with the SIS 

• Security — changes in a control system not causing 
any change or corruption in the associated SIS 

• Special requirements for safety controllers — diagnos- 
tics, certified fail-safe response, special software error 
checking, protected data storage, fault tolerance, etc. 

The IEC 61508 safety standard is somewhat ambiguous on this 
issue; it generally recommends separation, but does not man- 
date it. (However, the IEC 61513 standard for nuclear industries 
mandates physical separation of control and safety functions.) 
Today, many users in process industries are finding logical 
reasons for using common systems for control and safety func- 
tions. One reason is that this reduces problems associated with 
different programming procedures, languages, installation 
requirements, training, and maintenance (such as the risk that 
these different procedures can contribute to human error and 
possible safety problems). Users generally prefer to avoid hav- 
ing the different service and support mechanisms associated 
with disparate systems. Furthermore, failures due to common 
causes are less of an issue today than before. 

Control and SIS suppliers now offer similar systems for 
both functions that incorporate similar HMI, configuration 
procedure, programming language, and maintenance pro- 
cedures. The systems may be physically separate, but are 
also similar, with a common operator interface. They may 
communicate with each other, but have adequate protection 
against one system corrupting the other (Table 47.9). 
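As an added example of such protection (not any supplier's mechanism), the Python below is a deny-by-default policy for requests crossing the control/safety boundary: the control system may read SIS status and send one allow-listed soft request but can never change logic, trip setpoints or bypasses; the engineering station can do so only with the SIS key switch in PROGRAM or with an approved bypass permit; and every decision is retained for audit. Zone names, tag names and the permit list are assumptions of the example, and the requests are constructed.

```python
"""Policy barrier between the control system (BPCS) and the SIS.

Added example of the "adequate protection against one system corrupting the
other" requirement, written as a deny-by-default check that a gateway or SIS
communication module could apply to each request crossing the boundary. The
zone names, tag names, key-switch interlock and permit list are assumptions
of this example, not a vendor's mechanism; the requests are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Set, Tuple


class Zone(Enum):
    CONTROL = "control"          # BPCS / DCS network
    ENGINEERING = "engineering"  # SIS engineering workstation
    SAFETY = "safety"            # SIS internal


@dataclass(frozen=True)
class Request:
    source: Zone
    op: str   # "read", "write" or "download" (logic/configuration change)
    tag: str  # e.g. "SIS.PT101.TRIP_SP"


@dataclass
class SisState:
    key_switch_program: bool = False  # physical key switch in PROGRAM position
    permitted_bypasses: Set[str] = field(default_factory=set)  # tags with an approved bypass permit


# Assumed: the only SIS tag the control system may ever write.
CONTROL_WRITABLE = {"SIS.TRIP_RESET_REQ"}
BYPASS_PREFIX = "SIS.BYPASS."
SETPOINT_SUFFIX = ".TRIP_SP"


def evaluate(req: Request, state: SisState) -> Tuple[bool, str]:
    """Return (allowed, reason). Reads are always allowed; anything that can
    change SIS behaviour needs the right zone plus a physical or procedural interlock."""
    if req.op == "read":
        return True, "read-only access to SIS status is permitted from any zone"
    if req.source is Zone.SAFETY:
        return True, "SIS-internal operation"
    if req.source is Zone.CONTROL:
        if req.op == "write" and req.tag in CONTROL_WRITABLE:
            return True, "allow-listed soft request from control system"
        return False, "control system may not modify SIS logic, setpoints or bypasses"
    if req.source is Zone.ENGINEERING:
        if req.op == "download":
            if state.key_switch_program:
                return True, "logic download with key switch in PROGRAM"
            return False, "logic download refused: key switch not in PROGRAM"
        if req.op == "write" and req.tag.startswith(BYPASS_PREFIX):
            if req.tag in state.permitted_bypasses:
                return True, "bypass covered by an approved permit"
            return False, "bypass refused: no approved permit for this tag"
        if req.op == "write" and req.tag.endswith(SETPOINT_SUFFIX):
            if state.key_switch_program:
                return True, "trip setpoint change with key switch in PROGRAM"
            return False, "setpoint change refused: key switch not in PROGRAM"
        return False, f"unrecognised engineering operation {req.op!r} on {req.tag}"
    return False, "unknown source zone"


def audit(requests: List[Request], state: SisState) -> List[Tuple[Request, bool, str]]:
    """Evaluate every request and keep the decision for the audit trail."""
    return [(r, *evaluate(r, state)) for r in requests]


# Constructed traffic, including attempts the barrier must refuse.
STATE = SisState(key_switch_program=False, permitted_bypasses={"SIS.BYPASS.LT201"})
REQUESTS = [
    Request(Zone.CONTROL, "read", "SIS.PT101.TRIP_STATUS"),
    Request(Zone.CONTROL, "write", "SIS.TRIP_RESET_REQ"),
    Request(Zone.CONTROL, "write", "SIS.PT101.TRIP_SP"),      # refused: wrong zone
    Request(Zone.ENGINEERING, "download", "SIS.LOGIC"),        # refused: key switch
    Request(Zone.ENGINEERING, "write", "SIS.BYPASS.LT201"),
    Request(Zone.ENGINEERING, "write", "SIS.BYPASS.PT101"),    # refused: no permit
]

if __name__ == "__main__":
    for req, ok, why in audit(REQUESTS, STATE):
        verdict = "ALLOW" if ok else "DENY"
        print(f"{verdict:5} {req.source.value:11} {req.op:8} {req.tag:24} {why}")
```

The policy is only as good as the zone attribution: the source zone must come from the physical interface or network segment the request arrived on, never from a field the requester fills in itself.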

Increased Flexibility and Scalability

The installed base of systems for critical control or safety shutdown is largely either TMR (2oo3) or duplex (1oo2D) systems. However, suppliers increasingly offer other architectures as well, including quad (2oo4D), hybrid 2oo4/1oo2, and other combination architectures. Increasingly, suppliers offer configuration flexibility, where the user has the choice of putting two or more safety controllers together in parallel to reduce the failure rate and increase availability.

Safety controllers are becoming more scalable. They are getting smaller, so that one controller handles a limited number of I/O, but a number of them working together can handle a much larger application. This is a boon to users, as they no longer have to invest in large and expensive systems that may be overkill for many of their applications.

TABLE 47.9

Integration of Safety and Control Systems

Benefits:
• No need for data mapping
• Single set of engineering tools
• Significant reduction in integration effort
• Lower lifecycle cost

Challenges:
• Putting hardware and software barriers between safety and control systems
• Ensuring proper access protections
• Ensuring visual differentiation between control and safety environments at the workstation level

FIG. 47.10

Addressing critical conditions. (Process state plotted against time, with normal, critical, and emergency bands.)

Increased Capabilities of Function Blocks 

A state-of-the-art safety system provides facilities for sim- 
ple sequencing (usually without looping) to allow orderly 
shutdown of a process upon detection of a failure condition. 
Although a basic control system can normally perform an orderly shutdown when faced with an alarm condition, incorporating this function in a safety system results in a significant reduction in risk.

With today’s safety systems, rich function blocks make 
it easier to configure functions, such as trip levels, deviation 
percentage, pre-trip alarm, and degradation behavior. They 
make it easier to bypass specified alarms during startup. 
Traditionally, these functions are implemented by using 
cause-and-effect matrices in ladder logic. Rich functions 
blocks make these easier to apply, as well. They also support 
more intuitive presentation at runtime. 

CRITICAL CONDITION MANAGEMENT 

Critical condition is the state of a process beyond the normal 
operating state. Today, as the bottom line becomes increas- 
ingly important, manufacturing plants are driven more and 
more toward maximum utilization, which can lead to critical 
conditions. Additionally, as automation technology advances, 
operators face increasingly complex decision-making pro- 
cesses in dealing with critical conditions [6]. 

Adverse environmental impact is increasingly unac- 
ceptable to the society. In addition, greater regulatory 


requirements increase the risk of not preventing a critical 
condition before it occurs. With the general reduction of the 
work force in manufacturing industries and faster employee 
turnover, it’s becoming increasingly rare to find operating 
staffs with adequate experience. All these factors increase 
the risks associated with running a manufacturing plant. 
Thus, critical condition management (CCM) offers addi- 
tional safety protections to process plants and personnel 
(Figure 47.10). 

In the chemical accident in Bhopal, India, an estimated 
2000 people died and another 200,000 were injured. Human 
error and design flaws caused the Three Mile Island accident. 
Engineers and managers manually disengaging the control 
rods caused the Chernobyl disaster. The largest disaster in 
dollars in U.S. manufacturing history not due to natural 
causes was at a petrochemical plant in Texas City in 1989, 
which resulted in $1.6 billion in damages. According to the 
U.S. National Institute of Standards and Technology: the 
inability of control systems and operating personnel to con- 
trol critical conditions costs the U.S. economy at least $20 
billion a year. 

A manufacturing plant may get into critical condition 
when a combination of events not normally expected to hap- 
pen at the same time take place. Safety interlocks and excep- 
tion logic in a conventional control system cannot adequately 
address these combined events and the operators have little 
experience dealing with them. In the Bhopal accident, for 
example, the amount of methyl isocyanate stored in a tank 
was beyond its permitted limit, the temperature alarm was 
turned off, the pressure gauge reading was considered inac- 
curate and ignored, and, workers had little guidance to deal 
with the rapidly developing critical condition (Figure 47.11). 

The good news is that most critical conditions do not lead to catastrophic situations, explosions, or fires. They may, however, have a severe negative impact on performance and profitability, causing

• Off-specification product

• Unplanned shutdowns

• Equipment damage

• Schedule delays

• Environmental and safety problems

• Lower asset utilization

FIG. 47.11

Factors leading to critical conditions. (Chart categories: human factor, control equipment, process.) Major human factors:

• Inadequate or no procedure

• Inadequate or incorrect actions

• Failure to follow procedures and instructions

• Inadequate work practice

CCM also provides significant economic benefits to manufacturers. The typical gain from advanced process optimization in a large continuous process, such as an oil refinery or a petrochemical plant, is around 3%, whereas a CCM application can add 5% or more to profits by detecting and avoiding critical conditions before they occur, thus reducing the need for emergency shutdowns. This alone can generate significant improvements to the bottom line. Additional benefits of a CCM application come from

• Predictive alarm detection 

• Operator guidance 

• Significant reduction in unplanned shutdowns 

• Better asset utilization 

Layers of Protection 

A manufacturing plant may have multiple protection layers. 
The first layer is the process control system, which is usually 
a DCS- or PLC-based system. The process control system 
provides safety interlocks and exception logic. A dedicated 


safety shutdown system can provide the next layer of safety 
protection. This would shut down a process when the control 
system is unable to deal with the emergency. The fire and gas 
protection system provides yet another layer of safety. It is 
important to note that not all protection layers are required 
for all processes. 

These protection layers generally work in reactive mode 
and provide little guidance to operators. CCM (also referred 
to as “critical situation management,” or “abnormal situation 
management [ASM]”) works in an anticipatory mode across 
the protection layers, providing guidance to the operating 
and safety personnel. 

Most manufacturing sites hold safety as a high priority. 
To achieve this, typically they have established good manu- 
facturing practices that include automatic control. Secondly, 
they have established safety departments, whose functions are 
to promote safety and be prepared for emergency conditions. 

DCS- and PLC-based programmable control systems pro- 
vide facilities for various alarm functions and shutdown rou- 
tines to take care of many critical conditions. However, these 
systems usually do not provide help in distinguishing critical 
alarms from those that are less significant, predict critical con- 
ditions before they are likely to happen, or provide guidance to 
operators and safety personnel. Commercially available soft- 
ware packages that offer CCM capabilities are now available 
to address the shortcomings of conventional control systems. 

CCM Functions 

CCM functions get their inputs not only from the control sys- 
tem sensors but also from environmental sensors and manu- 
ally entered data from operators and safety personnel. CCM 
outputs are relevant not only to operating personnel but also 
to safety personnel and personnel outside a manufacturing 
area. Remote personnel include police, medical emergency 
response center, and environmental protection agencies 
(Figure 47.12 and Table 47.10). 



FIG. 47.12 
CCM functions. (Inputs to CCM: environmental data, process data, 
manual data. Outputs from CCM: remote personnel, safety personnel, 
operating personnel.) 


© 2012 by Bela Liptak 





TABLE 47.10 
Control System vs. CCM 

Function             Safety System                 CCM 
Alarm detection      Reactive                      Predictive 
Alarm management     Non-deductive notification    Deductive notification 
Personnel guidance   Little                        Significant 
Inputs               Largely from sensors          Sensors and expert 
Corrective action    Automatic                     Operator initiated 
Used by              Operating personnel           Operating and safety personnel 


CCM functions usually operate in a knowledge-base envi- 
ronment with an inference engine. Some CCM packages 
include neural networks, which learn with experience to pro- 
vide improved decision support to operators. 

In most applications, CCM acts in an advisory role, 
however, there are situations where a CCM can take correc- 
tive actions automatically. One example would be setpoint 
adjustments to improve quality or throughput. These actions 
are reported to the operators and are recorded. Significantly, 
CCM functionality does not replace any of the safety protec- 
tion layers, but instead, complements them (Table 47.11). 
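The anticipatory, deductive behavior described above, shown as an added illustration that is not part of this chapter or of any CCM product: a small Python rule layer whose tag names, limits, trend samples and cause-and-effect rules are all constructed assumptions. It raises reactive alarms on limit breach (what the control system already does), predictive alarms when a linear trend is forecast to reach the limit within a horizon, groups consequential alarms under the root cause that explains them (deductive notification), and routes separate guidance to operating and safety personnel.

```python
"""Toy critical condition management (CCM) layer, added as an illustration.
Tag names, limits, trend samples and cause-and-effect rules below are all
constructed assumptions, not data or logic from the chapter or any product."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

Sample = Tuple[float, float]  # (timestamp in seconds, value in engineering units)


@dataclass(frozen=True)
class Limit:
    tag: str
    high: float        # reactive trip point, as the control system would use it
    horizon_s: float   # how far ahead the CCM layer forecasts a breach


@dataclass(frozen=True)
class Alarm:
    tag: str
    kind: str          # "reactive" (limit exceeded) or "predictive" (breach forecast)
    eta_s: float       # 0.0 for reactive; seconds until the forecast breach otherwise


@dataclass(frozen=True)
class CauseRule:
    cause: str                      # tag whose alarm explains the consequential ones
    effects: Tuple[str, ...]        # alarms this root cause accounts for
    operator_guidance: str
    safety_guidance: Optional[str]  # None when safety personnel need no notice


def detect(history: Dict[str, Sequence[Sample]], limits: Dict[str, Limit]) -> List[Alarm]:
    """Reactive check on the latest sample, plus a linear-trend forecast
    (the predictive alarm detection a conventional control system lacks)."""
    alarms: List[Alarm] = []
    for tag, lim in limits.items():
        samples = history.get(tag, ())
        if len(samples) < 2:
            continue  # no trend without at least two samples
        (t0, v0), (t1, v1) = samples[-2], samples[-1]
        if v1 >= lim.high:
            alarms.append(Alarm(tag, "reactive", 0.0))
            continue
        rate = (v1 - v0) / (t1 - t0)  # engineering units per second
        if rate > 0:
            eta = (lim.high - v1) / rate
            if eta <= lim.horizon_s:
                alarms.append(Alarm(tag, "predictive", round(eta, 1)))
    return alarms


def notice(alarm: Alarm, covered: List[str], operator: str, safety: Optional[str]) -> dict:
    return {"root_cause": alarm.tag, "kind": alarm.kind, "eta_s": alarm.eta_s,
            "explains": covered, "operating_personnel": operator,
            "safety_personnel": safety}


def deduce(alarms: Sequence[Alarm], rules: Sequence[CauseRule]) -> List[dict]:
    """Deductive notification: report each root cause once, list the
    consequential alarms it explains, and attach guidance per audience.
    Rules are applied in order, so list the most upstream cause first."""
    active = {a.tag: a for a in alarms}
    explained, notices = set(), []
    for rule in rules:
        if rule.cause not in active or rule.cause in explained:
            continue
        covered = [e for e in rule.effects if e in active]
        explained.update(covered)
        notices.append(notice(active[rule.cause], covered,
                              rule.operator_guidance, rule.safety_guidance))
    reported = {n["root_cause"] for n in notices}
    for tag, alarm in active.items():
        if tag not in explained and tag not in reported:  # no rule matched
            notices.append(notice(alarm, [], f"No rule matched; investigate {tag}", None))
    return notices


# Constructed sample data (assumed values): a feed flow already past its limit,
# a reactor temperature trending toward its limit, a pressure rising too slowly
# to breach within the horizon, and a falling level that needs no alarm.
LIMITS = {
    "FIC100.PV": Limit("FIC100.PV", high=50.0, horizon_s=300.0),
    "TIC101.PV": Limit("TIC101.PV", high=180.0, horizon_s=300.0),
    "PIC102.PV": Limit("PIC102.PV", high=12.0, horizon_s=300.0),
    "LIC103.PV": Limit("LIC103.PV", high=90.0, horizon_s=300.0),
}
HISTORY = {
    "FIC100.PV": [(0.0, 40.0), (60.0, 55.0)],
    "TIC101.PV": [(0.0, 150.0), (60.0, 162.0)],
    "PIC102.PV": [(0.0, 8.0), (60.0, 8.3)],
    "LIC103.PV": [(0.0, 60.0), (60.0, 59.0)],
}
RULES = [
    CauseRule("FIC100.PV", ("TIC101.PV", "PIC102.PV"),
              "Feed flow above limit: cut feed and confirm FV-100 position",
              "Feed excursion in progress: stand by for controlled reactor shutdown"),
    CauseRule("TIC101.PV", ("PIC102.PV",),
              "Reactor temperature rising: raise cooling water flow", None),
]


def run_example() -> List[dict]:
    return deduce(detect(HISTORY, LIMITS), RULES)


if __name__ == "__main__":
    for n in run_example():
        print(n)
```

With the constructed data, the control-system view would show two separate alarms (feed flow high, and later temperature high once it actually trips); the CCM view shows one notice naming the feed excursion as root cause, lists the temperature alarm as a consequence forecast about 90 s ahead, and carries distinct guidance for operators and for safety personnel. Swapping the rule order, or adding a second root-cause rule, is the easiest way to see how the deduction depends on the knowledge base.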

To enhance safety and overall performance of a manu- 
facturing site, users should look for computer-based systems 
that can predict critical conditions, filter alarm messages, and 
guide both operating and safety personnel as needed, thus 
providing the missing link between sustained performance 
and costly disruptions. 


TABLE 47.11 
CCM Functions 

Deductive alarm notification 
  Alarm analysis and fault diagnosis for individual equipment 
  Alarm monitoring and filtering for entire plant 
Predictive decision support 
  Help operating personnel identify root cause of alarm 
  Help operators take right corrective actions 
Guidance to operating personnel 
  Notify potential hazard conditions 
  Actions required to avoid hazard conditions 
  Actions required to minimize the effects of a disaster 
Guidance to safety personnel 
  Notify potential hazard conditions 
  Actions required to avoid hazard conditions 
  Actions required to minimize effects of a disaster 
Remote notifications 
  Notify medical, health, police, and civic authorities 
Disaster recovery 
  Guidance for disaster recovery 
  Guidance for replacing/fixing individual equipment 


Wide Use of CCM Functions 

Any manufacturing operation where critical conditions 
would cause unacceptable consequences would benefit from 
using a CCM package. They include 

• Large and complex process plants, such as petro- 
chemical and polymer manufacturing, oil refineries, 
conventional power plants, and nuclear power plants 

• Unmanned operations, such as off-shore oil platforms, 
oil and gas pipelines, and unmanned tank farms 

• Manufacturers of high-value products, such as phar- 
maceuticals, and bio-tech 

• Operations that require frequent start-ups and shut- 
downs, such as specialty chemicals, food and bever- 
age, and metals and mining 

CCM helps operating and safety personnel avoid critical 
conditions in a manufacturing plant and bring it back to a 
safe state from a critical condition. It provides guidance to 
manufacturing site personnel using knowledge of the process 
behavior in states of transition. In a disaster recovery situa- 
tion, CCM can also provide guidance to operating and safety 
personnel from the viewpoint of the entire manufacturing 
operations. 

ASM Consortium 

The ASM Consortium is a group of major companies and uni- 
versities that have jointly invested in researching and devel- 
oping tools and products to address the problems associated 
with critical conditions. Honeywell founded and continues 
to lead this consortium. Honeywell’s @sset.MAX suite of 
products is based on the work of the ASM Consortium. It is 
a diagnostic and decision support system that includes alarm 
management, event analysis, process plant modeling, and 
plant asset management. However, there are other suppliers 
that offer products with CCM functions who are not associ- 
ated with the ASM Consortium. 

A similar effort was made in Europe with the launch- 
ing of CHEM, an advanced decision support system for 
chemical and petrochemical manufacturing processes. This 
three-year Europe-based project began in April 2001; with 
an eight-nation consortium including both EU and applicant 
country partners and led by the Institut Français du Pétrole. 
Participants include manufacturing companies, academic 
institutions, and industrial contractors. 

The general motivations behind both CHEM and the 
ASM Consortium have much in common — to use technology 
to support improved early warning, diagnostics, and deci- 
sion making in process plants. The common goal is to reduce 
and preferably prevent undesirable incidents, ranging from 
substandard performance to major accidents. There are also 
some common threads in the technology — both projects are 
trying to exploit developments in modern IT and in underlying 
theory, such as deep process models, AI, and decision theory. 




Off-the-Shelf CCM Packages 

In the past, major manufacturers created and implemented 
custom CCM functions for their internal use. This is chang- 
ing as a number of suppliers now offer software packages 
that address CCM functions. However, the range of functions 
offered by these suppliers varies considerably. To maximize 
return on assets, all manufacturers should be looking for sys- 
tems that help them effectively manage critical conditions. 


SAFETY SYSTEM SELECTION 

Selecting the best safety system for an application is largely 
dependent on the specific needs and requirements of the user. 
Before embarking on the selection procedure, a user should 
do a study to determine the safety protection requirements for 
the application. The requirements should conform to safety 
standards and meet the guidelines of regulatory agencies such 
as OSHA (Occupational Safety and Health Administration) 
and EPA (Environmental Protection Agency). In instances 
where the in-house engineering personnel do not have the 
necessary experience in safety study and risk reduction pro- 
cedures, outside help can (and should) be obtained from a 
third-party consultant or established safety system supplier. 

Conventional control systems provide the first line of 
defense against hazardous conditions. Good process control 
and incorporating alarming and effective shutdown proce- 
dures in basic control systems can reduce risks considerably. 
Additional protection measures, such as hardware interlocks, 
release valves, and improved operator access for manual inter- 
vention, can further reduce or eliminate a number of risks. In 
many situations, containment systems, such as dikes and fire- 
walls, can reduce the effects of an accident. Programmable 
safety systems are then needed if these actions do not reduce 
the risks to an acceptable level. 

Once the need for a safety system is established, a user 
should consider the ideal system that meets requirements. 
Today there are many different suppliers and systems avail- 
able for consideration. Users should also take into account the 
restrictions specified by the certifying organization. These 
restrictions include operating conditions, requirements of 
redundant I/O, proof test intervals, and requirements of shut- 
ting down after a processor failure. Speed of response may 
also be an important issue for an application. The response 
speed of a safety system must be considered along with the 
response time of all field instruments (Table 47.12). 

When evaluating a particular safety system, a user should 
take into account its installed base and product maturity. 
Ease of integration of a safety system with the control system 
is also an important consideration. Common human inter- 
face and common look and feel of the configuration software 
for the two systems will reduce learning efforts of engineers 
and operators. Facilities that allow the control system to read 
safety system status and real-time data will enable the two 
systems to work together in a unified fashion. 


TABLE 47.12 

System Selection Criteria 
TÜV certification and restrictions 
Required speed of response 
Product maturity and installed base 
Ease of integration with your control system 


Supplier evaluation is at least as important as system eval- 
uation. A user should take into account supplier knowledge 
and experience in safety analysis and regulatory require- 
ments. A user should put significant weight on a supplier’s 
knowledge and experience in applying safety systems in 
similar applications. Finally, users should consider local sup- 
port and the ready availability of spare parts (Table 47.13). 

SAFETY CULTURE 

“Safety culture” is a term the International Nuclear Safety 
Advisory Group introduced in 1986 in a report published 
after the Chernobyl disaster. A widely cited definition from 
the U.K. Health and Safety Commission is, “The product of 
individual and group values, attitudes, perceptions, compe- 
tencies, and patterns of behavior that determine the commit- 
ment to, and the style and proficiency of, an organization’s 
health and safety management.” An appropriate measure of 
safety culture is how an organization behaves when no one 
is watching [7]. 

Safety culture is not only about improving safety atti- 
tudes in all levels of employees, but also about good safety 
management with a holistic approach. Good safety culture 
implies a constant assessment of the significance of events 
and issues pertaining to safety so that the appropriate level of 
attention can be given. Establishing and developing positive 
attitudes toward safety culture is a community effort, which 
is cost effective. 

Safety Culture in an Organization 

Every organization has a safety culture, operating at some 
level. Cultures are based upon shared values, beliefs, and per- 
ceptions that determine what is to be regarded as the norms 
for the organization; that is, cultures develop from societal 
agreements about what constitutes appropriate attitudes and 
behaviors. If the organization feels strongly about a particu- 
lar behavior, there will be little tolerance for deviation, and 
there will be strong societal pressures for conformance. Each 
individual in the organization has a role in reinforcing the 
behavioral norms. 


TABLE 47.13 

Supplier Selection Criteria 
Knowledge and experience in HAZOP analysis 
Knowledge of regulatory requirements 
Industry application expertise 
Local support 

In any culture, there is a lot of inertia built into the way an 
organization operates, and safety culture is no exception. The 
challenge for management is to overcome this inertia to suc- 
cessfully navigate the organization to a higher level of safety 
awareness and culture. 

Successful implementation of a system and its associ- 
ated policies and procedures depend upon the actions of 
individuals and groups. For example, a procedure may prop- 
erly reflect the desired intent and be adequately detailed in 
its instructions. However, successful execution of the pro- 
cedure requires the actions of properly trained individuals 
who understand the importance of the underlying intent, who 
accept their responsibility for the task, and who appreciate 
that taking an obviously simplifying but potentially unsafe 
shortcut would be, quite simply, wrong. 

The collective values of a group help shape the beliefs 
and attitudes of an individual, which, in turn, play a signifi- 
cant role in determining individual behaviors. The actions 
and inactions of personnel at all levels of the organization 
provide evidence of the strength of a company’s safety 
culture. 

Industry has gradually accepted the importance of iden- 
tifying the management system failures that lead to incidents 
and near misses (i.e., identifying root causes). Regardless 
of whether one seeks to establish a new safety management 
system, repair an existing under-performing system, or fine- 
tune a basically sound system to achieve higher performance, 
the actions or inactions of the individual working within the 
system can ultimately be the limiting performance factor. 
Creating and sustaining a sound safety culture can be a deci- 
sive factor in determining the performance of the individual 
and the system. 

Management’s Role in Fostering Safety Culture 

Senior executives of companies that manufacture and handle 
dangerous and flammable materials are always between a 
rock and a hard place in demanding cost reductions without 
increasing risks. The best way to reduce risk in a manufac- 
turing plant is to design inherently safe processes. However, 
inherent safety is rarely achievable in today’s manufactur- 
ing environments. Risks prevail wherever hazardous or toxic 
materials are stored, processed, or handled. 

Industries, such as oil and gas, chemical, and power gen- 
eration, are by their nature, dangerous. There is no limit to 
what can be spent to make them safer. However, if there were 
no limit to spending, the products would be prohibitively 
expensive. Saying that “safety must always come first” is 
empty rhetoric. It ignores the real social, ethical, and com- 
mercial dilemmas faced by conscientious commentators, 
regulators, and businesspeople. 

However, an organization with a vigorous safety culture 
is always in a more secure position to avoid accidents and is 
better prepared when such an incident happens. Management 
in high-risk industries needs to determine the current level of 
safety culture in their organizations, decide where they wish 
to take it, and then chart and navigate a path to get there. 
Management responsibilities include not only rigorous safety 
planning, but also inculcating strong safety culture within 
their organization. People working within a strong safety 
culture feel more secure and are motivated to make the work 
place safer for everyone. 

Enhancing Safety Culture 

Following are some of the key areas that management may 
want to consider for enhancing safety culture in a manufac- 
turing organization (Table 47.14): 

1. Corporate commitment and responsibilities: A cul- 
ture is the fabric of people’s values, beliefs, and per- 
ceptions. For a safety culture to survive and flourish, 
a corporation not only needs to commit itself to a 
safety culture but it also needs to instill a shared vision 
among its employees along with established expecta- 
tions and accountability. 

Corporate commitment is crucial to nurture and 
maintain safety culture in an organization. This 
requires leadership and support from the highest 
level, such as the company president or CEO, with a 
fully defined roadmap and goals. It also requires that 
individual employees be empowered on safety issues, 
open communications, and mutual trust. 


TABLE 47.14 
Ways to Enhance Safety Culture 

Articulate a fully defined safety culture, which is supported by the top management 
Employ one or more full-time safety managers reporting to the highest levels 
Set up procedures for reducing incidents, which include proactive asset management and written SOPs that are followed and maintained 
Perform comprehensive hazard assessment after every incident or accident 
Encourage employees to report on hazard conditions and set up a safety blog website that is open to all employees 
Set up safety training and refresher courses for all new and veteran employees, on-site contractor personnel, and all other visitors 
Actively encourage workers to participate in safety activities, allowing them to influence safety policy implementations 




A corporation is responsible for inculcating good 
safety culture among all its employees. This includes: 

• Shared values, beliefs, and perceptions on safety 

• Clearly defined expectations and accountability 
on safety issues 

• Set up a process to improve safety on a continu- 
ous basis 

2. Programs and procedures and their management: 
Organizations that take safety seriously need to have 
documented safety programs and procedures. These 
include comprehensive safety audits, mandatory pro- 
cess hazard analysis as a part of engineering design, 
and preventive maintenance. These also include com- 
pliance with safety standards such as OSHA 1910 and 
IEC 61511/ISA-84 and following the lifecycle man- 
agement procedures as outlined in the standards. 

Documented safety programs and procedures by 
themselves achieve little unless they are properly 
managed in a proactive fashion. Management respon- 
sibilities include not only rigorous safety planning, 
but also inculcating strong safety culture within their 
organization. Here, a full- or part-time safety man- 
ager plays a crucial role. A safety manager needs 
to have significant authority reporting to the senior 
management at the highest level. The safety manager 
should be able to handle complaints, keep employees 
updated on safety issues, and offer incentives to indi- 
viduals and groups that excel in reducing hazards and 
injuries. 

3. Equipment, practice, and reporting: A corporation 
needs to have proper equipment and proper proce- 
dures for reducing incidents, including 

• Proactive management of all assets, such as process 
equipment, control systems, and safety systems 

• Written standard operating procedures (SOPs) 
that are followed and maintained 

• Comprehensive hazard assessment after every 
incident or accident 

Good safety culture encourages reporting not only 
incidents and accidents, but also near-miss situa- 
tions. All employees need to be encouraged to report 
problems of any magnitude without negative con- 
sequences. To close the loop, employees need to be 
kept informed of the corrective actions taken. Proper 
reporting includes 

• Encouraging all employees to report on hazard 
conditions 

• Taking appropriate actions based on all hazard 
reports 

• Setting up a safety blog website open to all 
employees 

4. Training and worker empowerment: Training, which is 
very important in fostering safety culture, includes 

• Proactive safety training for all new and veteran 
employees, on-site contractor personnel, and all 
other visitors. 

• The training should range from formal classroom 
instructions, to computer-based training, to train- 
ing simulators. 

• Keeping all safety training resources up to date. 

Worker empowerment is crucial in fostering safety culture. 
Workers should not only be encouraged to report on safety 
issues, but also empowered to take part in and influence 
safety policies, hazard reviews, and accident investigations. 
An employee should be sufficiently empowered to challenge 
his or her supervisor’s decision when safety is at stake. 
Employee empowerment includes 

• Active encouragement to participate in safety activities 

• Allowing workers to influence safety policy 
implementations 

• Allowing workers to opt-out from dangerous activities 
without any fear of recrimination 

Finally, an organization may periodically conduct surveys 
amongst its staff to ascertain the level of safety culture and 
the need for enhancement. This may be carried out on a com- 
pany wide basis, or at each of its manufacturing sites. 


Acknowledgments 

The author acknowledges the help and support given by ARC 
Advisory Group and extends special thanks to Paul Miller 
for proofreading and suggesting improvements. 


References 

1. IEC 61508 Parts 1 to 7, International Standard, Functional 
safety of Electrical/Electronic/Programmable Electronic 
Safety-Related Systems, Geneva, Switzerland: International 
Electrotechnical Commission, 2000. 

2. IEC 61511 Parts 1, 2, and 3, International Standard, Functional 
Safety — Safety Instrumented Systems for the Process Industry 
Sector, Geneva, Switzerland: International Electrotechnical 
Commission, 2003. 

3. ANSI/ISA-84.00.01 Parts 1, 2, and 3, Draft Standard, 
Functional Safety: Safety Instrumented System for the Process 
Industry Sector, Research Triangle Park, NC: ISA, 2003. 

4. ARC Report, Solution Guide and Strategies for Safety 
Lifecycle Management, Dedham, MA: ARC Advisory Group, 
2008. 

5. ISA TR84.00.07, Technical Report, The Application of ANSI/ 
ISA 84.00.01-2004 Parts 1-3 (IEC 61511 Parts 1-3 Modified) 
for Safety Instrumented Functions (SIFs) in Fire & Gas 
Systems, Research Triangle Park, NC: ISA, 2009. 

6. ARC Report, Use Critical Condition Management to Improve 
Your Bottom Line, Dedham, MA: ARC Advisory Group, 
2002. 

7. ARC Report, Best Practice for Process Safety Culture, 
Dedham, MA: ARC Advisory Group, 2007. 




Bibliography 

ARC Report, Critical Control & Safety Shutdown System Strategies, 
Dedham, MA: ARC Advisory Group, 1999. 

Goble, W.M., Control System Safety Evaluation and Reliability, 
Research Triangle Park, NC: ISA, 1998. 


Gruhn, P. and H.L. Cheddie, Safety Shutdown Systems: Design, 
Analysis, and Justification, Research Triangle Park, NC: ISA, 
2006. 

Marzal, E.M. and E.W. Schrapf, Safety Integrity Level Selection, 
Research Triangle Park, NC: ISA, 2002. 





